CVE-2026-39356
Drizzle is a modern TypeScript ORM. Prior to 0.45.2 and 1.0.0-beta.20, Drizzle ORM improperly escaped quoted SQL identifiers in its dialect-specific escapeName implementations. In affected versions, embedded identifier delimiters were not escaped before the identifier was wrapped in quotes or...
autotel-adapters (>=0.2.10 <=0.3.1), autotel-audit (>=0.1.2 <=0.1.11) +8 more potentially affected by unknown CVE via autotel (>=3.0.0 <=3.3.1)
autotel NPM version =3.0.0, =0.2.10, =0.1.2, =0.12.10, =2.12.10, =0.0.10, =0.4.10, =0.4.16, =0.19.10, =1.13.11, =0.4.10, =0.4.22 Source cves: unknown CVE Source advisory: SNYK:JS-AUTOTEL-17146458...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code containing a malicious binding.gyp file that drops and runs a self-propagating cloud secret stealer. The malicious code attempts to exfiltrate AWS, GCP, Azure, Vault, and Kubernetes credentials, as well as npm an...
0xble (>=21.4.1 <=22.1.2), 5e-srd-tools (>=0.0.4 <=0.0.34) +2122 more potentially affected by CVE-2026-39356 via drizzle-orm (>=0.11.6 <=0.45.1)
drizzle-orm NPM version =0.11.6, =21.4.1, =0.0.4, =0.0.1, =0.1.0, =0.1.0, =1.0.10, =0.22.5, =0.1.0, =1.16.47, =1.16.47, =0.19.0, =1.0.0, =1.0.0, =0.0.6, =1.1.1-0 - @aeriondyseti/mcp-memory =0.1.0 and more Source cves: CVE-2026-39356 Source advisory: OSV:GHSA-GPJ5-G38J-94V9...
SQL Injection
Overview drizzle-orm is a Drizzle ORM package for SQL databases. Affected versions of this package are vulnerable to SQL Injection through the escapeName handling in the PostgreSQL, SQLite, and SingleStore dialects. An attacker can inject arbitrary SQL by supplying a malicious identifier to...
0xble (>=21.4.1 <=22.1.2), @10xsai/ts-serverless (>=0.1.0 <=0.1.1) +1509 more potentially affected by CVE-2026-39356 via drizzle-orm (>=0.37.0 <=0.45.1)
drizzle-orm NPM version =0.37.0, =21.4.1, =0.1.0, =0.1.0, =1.0.10, =0.22.5, =0.1.0, =1.16.47, =1.16.47, =0.19.0, =1.0.0, =0.0.6, =0.1.0, =0.4.2, =0.2.0, =0.14.5 and more Source cves: CVE-2026-39356 Source advisory: SNYK:JS-DRIZZLEORM-16000009...
EUVD-2026-19909
Drizzle ORM has SQL injection via improperly escaped SQL identifiers...
Drizzle ORM has SQL injection via improperly escaped SQL identifiers
Summary Drizzle ORM improperly escaped quoted SQL identifiers in its dialect-specific escapeName implementations. In affected versions, embedded identifier delimiters were not escaped before the identifier was wrapped in quotes or backticks. As a result, applications that pass attacker-controlled...
GHSA-GPJ5-G38J-94V9 Drizzle ORM has SQL injection via improperly escaped SQL identifiers
Summary Drizzle ORM improperly escaped quoted SQL identifiers in its dialect-specific escapeName implementations. In affected versions, embedded identifier delimiters were not escaped before the identifier was wrapped in quotes or backticks. As a result, applications that pass attacker-controlled...
CVE-2026-39356 SQL Injection via escapeName() in all Drizzle ORM SQL dialects
Drizzle is a modern TypeScript ORM. Prior to 0.45.2 and 1.0.0-beta.20, Drizzle ORM improperly escaped quoted SQL identifiers in its dialect-specific escapeName implementations. In affected versions, embedded identifier delimiters were not escaped before the identifier was wrapped in quotes or...
CVE-2026-39356
CVE-2026-39356 affects Drizzle ORM. Prior to 0.45.2 and 1.0.0-beta.20, dialect-specific escapeName() did not escape embedded SQL identifier delimiters before quoting, enabling injection when attacker-controlled input reaches APIs that construct SQL identifiers or aliases (e.g., sql.identifier(), ...
drizzle-orm SQL injection vulnerability
Drizzle-ORM is a lightweight, multi-database-supported TypeScript ORM project developed by the Drizzle Team. Versions of drizzle-orm prior to 0.45.2 and 1.0.0-beta.20 contain a SQL injection vulnerability. This vulnerability arises from the improper escaping of SQL identifiers in the escapeName...
PT-2026-31003
Drizzle is a modern TypeScript ORM. Prior to 0.45.2 and 1.0.0-beta.20, Drizzle ORM improperly escaped quoted SQL identifiers in its dialect-specific escapeName implementations. In affected versions, embedded identifier delimiters were not escaped before the identifier was wrapped in quotes or...
SQL Injection
Overview @payloadcms/drizzle is a library of shared functions used by different Payload database adapters. Affected versions of this package are vulnerable to SQL Injection via the endpoints accepting dynamic query for Collections. An attacker can access sensitive information or modify data by...
@adenta/cms (>=0.0.6 <=1.1.1-0), @ainsleydev/payload-helper (>=0.0.6 <=0.3.2) +24 more potentially affected by CVE-2026-34747 via @payloadcms/drizzle (>=3.0.0-beta.100 <=3.79.0)
@payloadcms/drizzle NPM version =3.0.0-beta.100, =0.0.6, =0.0.6, =3.22.1, =3.37.0, =1.0.0, =3.53.0, =3.61.1-2, =3.50.0-internal.ca62628, =3.0.0, =3.0.0, =3.0.0, =1.0.1, =1.0.2 and more Source cves: CVE-2026-34747 Source advisory: SNYK:JS-PAYLOADCMSDRIZZLE-15873854...
SQL Injection
Overview @payloadcms/db-vercel-postgres is a Vercel Postgres adapter for Payload. Affected versions of this package are vulnerable to SQL Injection when querying JSON or richText fields. An attacker can extract sensitive information and gain unauthorized access to user accounts by injecting crafte...
SQL Injection
Overview @payloadcms/db-postgres is the officially supported Postgres database adapter for Payload. Affected versions of this package are vulnerable to SQL Injection when querying JSON or richText fields. An attacker can extract sensitive information and gain unauthorized access to user accounts...